IIS Installs in a Locked-Down Mode

Applies To: Windows Server 2003, Windows Server 2003 with SP1

When you install IIS 6.0, it is locked down: only request handling for static Web pages is enabled, and only the World Wide Web Publishing Service (WWW service) is installed. None of the features that sit on top of IIS are turned on by default, including ASP, ASP.NET, CGI scripting, FrontPage® 2002 Server Extensions from Microsoft, and Web Distributed Authoring and Versioning (WebDAV). This locked-down state minimizes the attack surface that is available to intruders, who sometimes target computers by attacking services that are running but unused. These attacks can happen if, for example, an administrator forgets to turn off an unused service and then does not maintain it with current hotfixes, service packs, and security updates. Over time, the service might become increasingly vulnerable to attackers.

IIS 6.0 installation and service-enabling features simplify administration and management of IIS services for security purposes. For example:

  • You can install and enable services when you need them.

  • If you need additional services, you can enable them through the Web Service Extensions node in IIS Manager.

  • When enabled features are no longer required, you can disable them through the Web Service Extensions node in IIS Manager.

Important

It is possible to use the Web Service Extensions node to allow all unknown ISAPI and CGI extensions, but this presents a security risk and is not recommended. This option is available for use in development and test environments, but it should never be enabled on a production server.
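The state shown in the Web Service Extensions node is stored in the IIS 6.0 metabase property WebSvcExtRestrictionList, so the settings described above can be audited from an export of that list. The following check is an added example, not part of the original documentation; it flags the "allow all unknown" entries and any extension that is allowed but not on an approved list. The sample entries are constructed, and the function names and the approved-group set are assumptions made for illustration.

```python
from typing import NamedTuple

# Wildcard paths the list uses for the two "all unknown" switches.
WILDCARDS = {"*.dll": "All Unknown ISAPI Extensions",
             "*.exe": "All Unknown CGI Extensions"}

# Constructed sample of WebSvcExtRestrictionList strings (not from a real server).
# Entry format: AllowDenyFlag,Path,UIDeletableFlag,GroupID,Description
SAMPLE = [
    r"0,*.dll",
    r"1,*.exe",
    r"1,C:\WINDOWS\system32\inetsrv\asp.dll,0,ASP,Active Server Pages",
    r"1,C:\WINDOWS\system32\inetsrv\httpext.dll,0,WEBDAV,WebDAV",
    r"0,C:\WINDOWS\system32\inetsrv\httpodbc.dll,0,HTTPODBC,Internet Data Connector",
]

class Entry(NamedTuple):
    allowed: bool
    path: str
    group: str
    description: str

def parse_entry(raw):
    """Split one list string; the wildcard entries carry only flag and path."""
    fields = [f.strip() for f in raw.split(",", 4)]
    if len(fields) < 2 or fields[0] not in ("0", "1") or not fields[1]:
        raise ValueError(f"malformed entry: {raw!r}")
    fields += [""] * (5 - len(fields))
    return Entry(fields[0] == "1", fields[1], fields[3], fields[4])

def audit(entries, approved_groups=frozenset()):
    """Return (severity, message) for every allowed entry that is a wildcard
    or whose GroupID is not in approved_groups (hypothetical site policy)."""
    approved = {g.upper() for g in approved_groups}
    findings = []
    for entry in map(parse_entry, entries):
        if not entry.allowed:
            continue  # prohibited is the locked-down default
        wildcard = WILDCARDS.get(entry.path.lower())
        if wildcard:
            findings.append(("HIGH", f"{wildcard} allowed ({entry.path})"))
        elif entry.group.upper() not in approved:
            label = entry.group or entry.path
            findings.append(("REVIEW", f"{label} allowed but not approved: {entry.path}"))
    return findings

if __name__ == "__main__":
    for severity, message in audit(SAMPLE, approved_groups={"ASP"}):
        print(f"{severity:6} {message}")
```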

IIS Lockdown Tool Capabilities Are Built-in

You cannot install the IIS Lockdown Tool in IIS 6.0. However, to prevent the WWW service from being disabled after an upgrade, you can run the IIS Lockdown Tool prior to upgrading from an earlier version of IIS. When you upgrade from a server running Microsoft Windows® 2000 Server and IIS 5.0, IIS 6.0 runs in IIS 5.0 isolation mode by default, and IIS implements the following security measures:

  • UrlScan functionality is left unchanged. UrlScan is a tool that reduces the attack surface of Web servers running earlier versions of IIS. By default, IIS 6.0 has features that significantly improve security by reducing the attack surface of the Web server. UrlScan provides flexible configuration for advanced administrators, while maintaining the improved security in IIS 6.0. When you need this flexibility in configuring your Web server, you can run UrlScan on IIS 6.0.

  • Web service extensions that are mapped to 404.dll are mapped to their original location and added to the Web service extensions list with a prohibited status.

  • Access control lists (ACLs) for WebDAV are reset correctly, and WebDAV is added to the Web service extensions list with a prohibited status.

  • Indexing Service is left disabled, and existing ACLs are unchanged.